From a49b734f878bbcd39060a7ef0313566617a6e527 Mon Sep 17 00:00:00 2001 From: lozaning Date: Mon, 22 Apr 2024 15:42:00 -0500 Subject: [PATCH 1/5] Create ESPNow_Sniffing --- ESPNow_Sniffing | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 ESPNow_Sniffing diff --git a/ESPNow_Sniffing b/ESPNow_Sniffing new file mode 100644 index 0000000..1dbbee9 --- /dev/null +++ b/ESPNow_Sniffing @@ -0,0 +1,19 @@ +Challenge Name: ESPNow Sniffing + +Hardware required to run the challenge: 2 ESP32 of any variety + +Flags: there are two flags to this challenge. The first flag is contained/transmitted in an ESPNow broadcast packet. +The second flag is being sent point to point in a direct message between the two ESP32. + + +Software Setup: I will provide a sketch that can be used to flash both ESP32 + +Flag Rolling procedure: Im open to any feedback ya'll have on what the easiest eay to roll flags for you are is. +The two things i can think of are to connect the esp32 to a computer over their serial ports and enable flag setting through sending strings to the devices. +A more stand alone solution could be that when initially powered on the units wait until a client connects via regular wifi and accesses a web page to set the flag. + + +potential methodologies to capture the flags: +For the broadcast flag, an ESP32 could be programmed to print any data it sees in ESPNow broadcasts via serial to the players machine. +For the point to point flag, players are encouraged to figure out how create new or leverage existing tools to get a regular 802.11 wifi card to be able to monitor and +parse ESPNow data. From 2b7eb81f987c1124640c7e4466ac3389eafad3cb Mon Sep 17 00:00:00 2001 From: lozaning Date: Wed, 24 Apr 2024 09:26:36 -0500 Subject: [PATCH 2/5] Create IoT Device RCE --- IoT Device RCE | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 IoT Device RCE diff --git a/IoT Device RCE b/IoT Device RCE new file mode 100644 index 0000000..d0be8fa 
--- /dev/null +++ b/IoT Device RCE @@ -0,0 +1,20 @@ +Challenge Name: IoT Device RCE + + +Hardware required to run the challenge: Evowera Planck Mini: https://www.amazon.com/evowera-Toothbrush-Reminder-Compatible-Detachable/dp/B0B3XQN59S +I can provide two of these devices + +Flags: Players are given a Flag to enter into the scoreboard after exploiting an insecure wireless firmware update process as demontrated by writing their player or team name to the device's screen + + +Software Setup: The evowera toothbrush runs the default factory firmware. + +Flag Rolling procedure: I can provide a bash script that can be run that will reflash the the copy of the factory firmware I will provide + + +potential methodologies to capture the flags: +Players will need to sniff wifi beacon requests for devices with espressif OUI's to determine the network the devices are attempting to connect to +After standing up a network for the device to connect to, player will need to intercept and respond to several http get requests +The player will need to create their own esp32 firmware that writes their team or player name to the devices screen +After several successfull API responses the user gets the oportunity to respond with a URL for a bin file for an OTA update +If the firmware update is successfull and the screen shows the player or team name, a village staff member will give the player the flag to enter into the scoreboard From 717d4a765f751ce9197d970acccbe8485d62e98d Mon Sep 17 00:00:00 2001 From: lozaning Date: Mon, 17 Jun 2024 20:17:47 -0500 Subject: [PATCH 3/5] Delete ESPNow_Sniffing --- ESPNow_Sniffing | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 ESPNow_Sniffing diff --git a/ESPNow_Sniffing b/ESPNow_Sniffing deleted file mode 100644 index 1dbbee9..0000000 --- a/ESPNow_Sniffing +++ /dev/null 
@@ -1,19 +0,0 @@ -Challenge Name: ESPNow Sniffing - -Hardware required to run the challenge: 2 ESP32 of any variety - -Flags: there are two flags to this challenge. The first flag is contained/transmitted in an ESPNow broadcast packet. -The second flag is being sent point to point in a direct message between the two ESP32. - - -Software Setup: I will provide a sketch that can be used to flash both ESP32 - -Flag Rolling procedure: Im open to any feedback ya'll have on what the easiest eay to roll flags for you are is. -The two things i can think of are to connect the esp32 to a computer over their serial ports and enable flag setting through sending strings to the devices. -A more stand alone solution could be that when initially powered on the units wait until a client connects via regular wifi and accesses a web page to set the flag. - - -potential methodologies to capture the flags: -For the broadcast flag, an ESP32 could be programmed to print any data it sees in ESPNow broadcasts via serial to the players machine. -For the point to point flag, players are encouraged to figure out how create new or leverage existing tools to get a regular 802.11 wifi card to be able to monitor and -parse ESPNow data. From a38055ef7943c6bd0e127c60791397d0fdde3ec5 Mon Sep 17 00:00:00 2001 From: lozaning Date: Mon, 17 Jun 2024 20:17:53 -0500 Subject: [PATCH 4/5] Delete IoT Device RCE --- IoT Device RCE | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 IoT Device RCE diff --git a/IoT Device RCE b/IoT Device RCE deleted file mode 100644 index d0be8fa..0000000 --- a/IoT Device RCE +++ /dev/null 
@@ -1,20 +0,0 @@ -Challenge Name: IoT Device RCE - - -Hardware required to run the challenge: Evowera Planck Mini: https://www.amazon.com/evowera-Toothbrush-Reminder-Compatible-Detachable/dp/B0B3XQN59S -I can provide two of these devices - -Flags: Players are given a Flag to enter into the scoreboard after exploiting an insecure wireless firmware update process as demontrated by writing their player or team name to the device's screen - - -Software Setup: The evowera toothbrush runs the default factory firmware. - -Flag Rolling procedure: I can provide a bash script that can be run that will reflash the the copy of the factory firmware I will provide - - -potential methodologies to capture the flags: -Players will need to sniff wifi beacon requests for devices with espressif OUI's to determine the network the devices are attempting to connect to -After standing up a network for the device to connect to, player will need to intercept and respond to several http get requests -The player will need to create their own esp32 firmware that writes their team or player name to the devices screen -After several successfull API responses the user gets the oportunity to respond with a URL for a bin file for an OTA update -If the firmware update is successfull and the screen shows the player or team name, a village staff member will give the player the flag to enter into the scoreboard From 989896e718e8031922b5565ee2517c07e7063a33 Mon Sep 17 00:00:00 2001 From: lozaning Date: Mon, 17 Jun 2024 20:23:38 -0500 Subject: [PATCH 5/5] Create CVE-2024-30078 --- CVE-2024-30078 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 CVE-2024-30078 diff --git a/CVE-2024-30078 b/CVE-2024-30078 new file mode 100644 index 0000000..fe725d1 --- /dev/null +++ b/CVE-2024-30078 
@@ -0,0 +1,14 @@ + +Challenge Name: WiFi RCE! + +Hardware required to run the challenge: a windows laptop with wifi that is unpatched for CVE-2024-30078 + +Flags: I could see this going two ways, either you pop calc.exe or some other thing to demonstrate RCE for a village staffer, OR there could just be a text file on the Desktop that contains the flag + + +Software Setup: Install windows 11 with minimal updates, and then add all the MS update server to the hosts file with bad IPs + +Flag Rolling procedure: Just change the flag that is saved in a text file on the desktop, or if we wanna just make it so that you pop calc.exe for a village staffer then there wouldnt really be one. + +potential methodologies to capture the flags: +Fam I got no clue, if anyone has the PoC for this they havent shared it with me yet.
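Review bot: In the ESPNow_Sniffing hunk of patch 1/5, the description never states which Wi-Fi channel the two ESP32s operate on or whether the point-to-point message is sent with an LMK configured, and both decide how hard the second flag actually is. ESP-NOW frames are vendor-specific 802.11 action frames: without an LMK the unicast payload is just as readable to a monitor-mode card as the broadcast one, and a sniffer has to sit on the right channel to see either. Add the channel and the encryption setting to the "Software Setup" line so the difficulty matches the intent. For the open flag-rolling question, the serial-string option is the simpler one to implement and to reset between players. Minor: "easiest eay to roll flags" should read "easiest way", and "Im" should be "I'm".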
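Review bot: In the IoT Device RCE hunk of patch 2/5, "sniff wifi beacon requests for devices with espressif OUI's" should say "probe requests": beacons are sent by access points, whereas a station looking for a remembered network sends probe requests, and that is what reveals the SSID the toothbrush is trying to join. The phrase "insecure wireless firmware update process" also does not say which check is missing (plain-HTTP download, no image signature, or both), which village staff need in order to confirm a solve is the intended one; one sentence would do. Typo: "reflash the the copy" doubles "the".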
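Review bot: The deletion hunks in patches 3/5 and 4/5 remove ESPNow_Sniffing and IoT Device RCE with commit messages ("Delete ESPNow_Sniffing", "Delete IoT Device RCE") that give no reason, and nothing in the series replaces or renames them. State whether the two challenges were withdrawn or moved elsewhere so a later reader of the log does not assume the proposals were lost.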
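Review bot: In the CVE-2024-30078 hunk of patch 5/5, the "potential methodologies" section admits there is no PoC, so the challenge has no known solve path as written; mark it as blocked on a working exploit rather than listing it alongside the other two. The setup line "add all the MS update server to the hosts file with bad IPs" is fragile: the fix for this CVE shipped in the June 2024 cumulative updates, so the install media must predate that, Windows Update reaches many hostnames, and Defender is known to flag hosts-file entries for Microsoft domains as a hosts-file hijack and may revert them. Keeping the laptop offline or with updates paused is the more reliable way to hold it unpatched. Style: the file is named CVE-2024-30078 while "Challenge Name" is "WiFi RCE!", unlike the other two files which are named after their challenge; pick one convention. Typos: "wouldnt" and "havent" need apostrophes.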